Open Access. Powered by Scholars. Published by Universities.®

Engineering Commons

Digital forensics

Articles 31 - 60 of 75

Full-Text Articles in Engineering

Magneto-Optical Visualisation For High-Resolution Forensic Data Recovery Using Advanced Thin Film Nano-Materials, M Nur-E-Alam, Mikhail Vasiliev, Kamal Alameh, Craig Valli Apr 2015

Mikhail Vasiliev

We develop and characterise new high-performance nano-engineered magneto-optic materials for use in laser-microscopy-based magnetic field visualisers featuring high sensitivity and resolution, low cost and small size. This type of visualiser will make it possible for forensic experts to recover erased data previously stored in high- and ultrahigh-density magnetic disks and hard disk drives.


Cyber Blackbox For Collecting Network Evidence, Jooyoung Lee, Sunoh Choi, Yangseo Choi, Jonghyun Kim, Ikkyun Kim, Youngseok Lee Jan 2015

Australian Digital Forensics Conference

In recent years, the hottest topics in the security field are related to the advanced and persistent attacks. As an approach to solve this problem, we propose a cyber blackbox which collects and preserves network traffic on a virtual volume based WORM device, called EvidenceLock to ensure data integrity for security and forensic analysis. As a strategy to retain traffic for long enough periods, we introduce a deduplication method. Also this paper includes a study on the network evidence which is collected and preserved for analyzing the cause of cyber incident. Then, a method is proposed to suggest a starting …


An Empirical Comparison Of Widely Adopted Hash Functions In Digital Forensics: Does The Programming Language And Operating System Make A Difference?, Satyendra Gurjar, Ibrahim Baggili, Frank Breitinger, Alice E. Fischer Jan 2015

Electrical & Computer Engineering and Computer Science Faculty Publications

Hash functions are widespread in computer sciences and have a wide range of applications such as ensuring integrity in cryptographic protocols, structuring database entries (hash tables) or identifying known files in forensic investigations. Besides their cryptographic requirements, a fundamental property of hash functions is efficient and easy computation which is especially important in digital forensics due to the large amount of data that needs to be processed when working on cases. In this paper, we correlate the runtime efficiency of common hashing algorithms (MD5, SHA-family) and their implementation. Our empirical comparison focuses on C-OpenSSL, Python, Ruby, Java on Windows and …


Identification And Exploitation Of Inadvertent Spectral Artifacts In Digital Audio, N. C. Donnangelo, W. S. Kuklinski, R. Szabo, R. A. Coury, G. R. Hamshar Jan 2015

Journal of Digital Forensics, Security and Law

We show that modulation products from local oscillators in a variety of commercial camcorders are coupled into the recorded audio track, creating narrow band time invariant spectral features. These spectral features, left largely intact by transcoding, compression and other forms of audiovisual post processing, can encode characteristics of specific camcorders used to capture the audio files, including the make and model. Using data sets both downloaded from YouTube and collected under controlled laboratory conditions we demonstrate an average probability of detection (Pd) approaching 0.95 for identification of a specific camcorder in a population of thousands of similar recordings, with a …


Factors Influencing Digital Forensic Investigations: Empirical Evaluation Of 12 Years Of Dubai Police Cases, Ibtesam Alawadhi, Janet C. Read, Andrew Marrington, Virginia N. L. Franqueira Jan 2015

Journal of Digital Forensics, Security and Law

In Digital Forensics, the number of person-hours spent on investigation is a key factor which needs to be kept to a minimum whilst also paying close attention to the authenticity of the evidence. The literature describes challenges behind increasing person-hours and identifies several factors which contribute to this phenomenon. This paper reviews these factors and demonstrates that they do not wholly account for increases in investigation time. Using real case records from the Dubai Police, an extensive study explains the contribution of other factors to the increase in person-hours. We conclude this work by emphasizing on several factors affecting the …


Preliminary Forensic Analysis Of The Xbox One, Jason Moore, Ibrahim Baggili, Andrew Marrington, Armindo Rodrigues Aug 2014

Electrical & Computer Engineering and Computer Science Faculty Publications

Video game consoles can no longer be viewed as just gaming consoles but rather as full multimedia machines, capable of desktop computer-like performance. The past has shown that game consoles have been used in criminal activities such as extortion, identity theft, and child pornography, but with their ever-increasing capabilities, the likelihood of the expansion of criminal activities conducted on or over the consoles increases. This research aimed to take the initial step of understanding the Xbox One, the most powerful Microsoft console to date. We report the outcome of conducting a forensic examination of the Xbox One, and we provide …


Forensicloud: An Architecture For Digital Forensic Analysis In The Cloud, Cody Miller, Dae Glendowne, David Dampier, Kendall Blaylock Jul 2014

Computer Sciences and Electrical Engineering Faculty Research

The amount of data that must be processed in current digital forensic examinations continues to rise. Both the volume and diversity of data are obstacles to the timely completion of forensic investigations. Additionally, some law enforcement agencies do not have the resources to handle cases of even moderate size. To address these issues we have developed an architecture for a cloud-based distributed processing platform we have named Forensicloud. This architecture is designed to reduce the time taken to process digital evidence by leveraging the power of a high performance computing platform and by adapting existing tools to operate within this …


On The Database Lookup Problem Of Approximate Matching, Frank Breitinger, Harald Baier, Douglas White May 2014

Electrical & Computer Engineering and Computer Science Faculty Publications

Investigating seized devices within digital forensics gets more and more difficult due to the increasing amount of data. Hence, a common procedure uses automated file identification which reduces the amount of data an investigator has to look at by hand. Besides identifying exact duplicates, which is mostly solved using cryptographic hash functions, it is also helpful to detect similar data by applying approximate matching.

Let x denote the number of digests in a database, then the lookup for a single similarity digest has the complexity of O(x). In other words, the digest has to be compared against …


Automated Evaluation Of Approximate Matching Algorithms On Real Data, Frank Breitinger, Vassil Roussev Jan 2014

Electrical & Computer Engineering and Computer Science Faculty Publications

Bytewise approximate matching is a relatively new area within digital forensics, but its importance is growing quickly as practitioners are looking for fast methods to screen and analyze the increasing amounts of data in forensic investigations. The essential idea is to complement the use of cryptographic hash functions to detect data objects with bytewise identical representation with the capability to find objects with bytewise similar representations.

Unlike cryptographic hash functions, which have been studied and tested for a long time, approximate matching ones are still in their early development stages and evaluation methodology is still evolving. Broadly, prior approaches have …


A User-Oriented Network Forensic Analyser: The Design Of A High-Level Protocol Analyser, D Joy, F Li, N L. Clarke, S M. Furnell Jan 2014

Australian Digital Forensics Conference

Network forensics is becoming an increasingly important tool in the investigation of cyber and computer-assisted crimes. Unfortunately, whilst much effort has been undertaken in developing computer forensic file system analysers (e.g. Encase and FTK), such focus has not been given to Network Forensic Analysis Tools (NFATs). The single biggest barrier to effective NFATs is the handling of large volumes of low-level traffic and being able to extract and interpret forensic artefacts and their context – for example, being able to extract and render application-level objects (such as emails, web pages and documents) from the low-level TCP/IP traffic but also understand how …


A Forensic Overview Of The LG Smart TV, Iain Sutherland, Konstantino Xynos, Huw Read, Andy Jones, Tom Drange Jan 2014

Australian Digital Forensics Conference

The emerging Smart TV platform will likely replace traditional television sets over time as the entertainment and communication centrepiece in people’s homes. Given its expanded functionality and now, its online presence, there is a need to identify how they may become part of forensic investigations. The purpose of this paper is to introduce the area of Smart TVs and the potential forensic value these systems present in combination with their ever advancing functionality and capabilities. We provide an overview of Smart TV systems highlighting functionality and potential issues. We also take an initial look at two particular models, from the …


A Forensically-Enabled IaaS Cloud Computing Architecture, Saad Alqahtany, Nathan Clarke, Steven Furnell, Christoph Reich Jan 2014

Australian Digital Forensics Conference

Current cloud architectures do not support digital forensic investigators, nor comply with today’s digital forensics procedures largely due to the dynamic nature of the cloud. Whilst much research has focused upon identifying the problems that are introduced with a cloud-based system, to date there is a significant lack of research on adapting current digital forensic tools and techniques to a cloud environment. Data acquisition is the first and most important process within digital forensics – to ensure data integrity and admissibility. However, access to data and the control of resources in the cloud is still very much provider-dependent and complicated …


An Efficient Similarity Digests Database Lookup -- A Logarithmic Divide And Conquer Approach, Frank Breitinger, Christian Rathgeb, Harald Baier Jan 2014

Electrical & Computer Engineering and Computer Science Faculty Publications

Investigating seized devices within digital forensics represents a challenging task due to the increasing amount of data. Common procedures utilize automated file identification, which reduces the amount of data an investigator has to examine manually. In the past years the research field of approximate matching arises to detect similar data. However, if n denotes the number of similarity digests in a database, then the lookup for a single similarity digest is of complexity of O(n). This paper presents a concept to extend existing approximate matching algorithms, which reduces the lookup complexity from O(n) to O(log(n)). Our proposed approach is based …


Quantifying Relevance Of Mobile Digital Evidence As They Relate To Case Types: A Survey And A Guide For Best Practices, Shahzad Saleem, Ibrahim Baggili, Oliver Popov Jan 2014

Electrical & Computer Engineering and Computer Science Faculty Publications

In this work, a survey was conducted to help quantify the relevance of nineteen types of evidence (such as SMS) to seven types of digital investigations associated with mobile devices (MD) (such as child pornography). 97 % of the respondents agreed that every type of digital evidence has a different level of relevance to further or solve a particular investigation. From 55 serious participants, a data set of 5,772 responses regarding the relevance of nineteen types of digital evidence for all the seven types of digital investigations was obtained. The results showed that (i) SMS belongs to the most relevant …


Using Internet Artifacts To Profile A Child Pornography Suspect, Marcus K. Rogers, Kathryn C. Seigfried-Spellar Jan 2014

Journal of Digital Forensics, Security and Law

Digital evidence plays a crucial role in child pornography investigations. However, in the following case study, the authors argue that the behavioral analysis or “profiling” of digital evidence can also play a vital role in child pornography investigations. The following case study assessed the Internet Browsing History (Internet Explorer Bookmarks, Mozilla Bookmarks, and Mozilla History) from a suspected child pornography user’s computer. The suspect in this case claimed to be conducting an ad hoc law enforcement investigation. After the URLs were classified (Neutral; Adult Porn; Child Porn; Adult Dating sites; Pictures from Social Networking Profiles; Chat Sessions; Bestiality; Data Cleaning; …


AUDIT: Automated Disk Investigation Toolkit, Umit Karabiyik, Sudhir Aggarwal Jan 2014

Journal of Digital Forensics, Security and Law

Software tools designed for disk analysis play a critical role today in forensics investigations. However, these digital forensics tools are often difficult to use, usually task specific, and generally require professionally trained users with IT backgrounds. The relevant tools are also often open source requiring additional technical knowledge and proper configuration. This makes it difficult for investigators without some computer science background to easily conduct the needed disk analysis. In this paper, we present AUDIT, a novel automated disk investigation toolkit that supports investigations conducted by non-expert (in IT and disk technology) and expert investigators. Our proof of concept design …


Exploring Forensic Implications Of The Fusion Drive, Shruti Gupta, Marcus Rogers Jan 2014

Journal of Digital Forensics, Security and Law

This paper explores the forensic implications of Apple’s Fusion Drive. The Fusion Drive is an example of auto-tiered storage. It uses a combination of a flash drive and a magnetic drive. Data is moved between the drives automatically to maximize system performance. This is different from traditional caches because data is moved and not simply copied. The research included understanding the drive structure, populating the drive, and then accessing data in a controlled setting to observe data migration strategies. It was observed that all the data is first written to the flash drive with 4 GB of free space always …


An Efficient Similarity Digests Database Lookup – A Logarithmic Divide & Conquer Approach, Frank Breitinger, Christian Rathgeb, Harald Baier Jan 2014

Journal of Digital Forensics, Security and Law

Investigating seized devices within digital forensics represents a challenging task due to the increasing amount of data. Common procedures utilize automated file identification, which reduces the amount of data an investigator has to examine manually. In the past years the research field of approximate matching arises to detect similar data. However, if n denotes the number of similarity digests in a database, then the lookup for a single similarity digest is of complexity of O(n). This paper presents a concept to extend existing approximate matching algorithms, which reduces the lookup complexity from O(n) to O(log(n)). Our proposed approach is based …


Testing Framework For Mobile Device Forensics Tools, Maxwell Anobah, Shahzad Saleem, Oliver Popov Jan 2014

Journal of Digital Forensics, Security and Law

The proliferation of mobile communication and computing devices, in particular smart mobile phones, is almost paralleled with the increasing number of mobile device forensics tools in the market. Each mobile forensics tool vendor, on one hand claims to have a tool that is best in terms of performance, while on the other hand each tool vendor seems to be using different standards for testing their tools and thereby defining what support means differently. To overcome this problem, a testing framework based on a series of tests ranging from basic forensics tasks such as file system reconstruction up to more complex …


Quantifying Relevance Of Mobile Digital Evidence As They Relate To Case Types: A Survey And A Guide For Best Practice, Shahzad Saleem, Ibrahim Baggili, Oliver Popov Jan 2014

Journal of Digital Forensics, Security and Law

In this work, a survey was conducted to help quantify the relevance of nineteen types of evidence (such as SMS) to seven types of digital investigations associated with mobile devices (MD) (such as child pornography). 97 % of the respondents agreed that every type of digital evidence has a different level of relevance to further or solve a particular investigation. From 55 serious participants, a dataset of 5,772 responses regarding the relevance of nineteen types of digital evidence for all the seven types of digital investigations was obtained. The results showed that (i) SMS belongs to the most relevant type …


A Study Of Forensic Imaging In The Absence Of Write-Blockers, Gary C. Kessler, Gregory H. Carlton Jan 2014

Journal of Digital Forensics, Security and Law

Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker are immediately suspect. This paper describes a research framework that compares forensic images acquired with and without utilizing write-blockers in order to understand the extent of the differences, if any, in the resultant forensic copies. We specifically address whether differences are superficial or evidentiary, and we discuss the impact of admitting evidence acquired without write blocking. …


A State-Of-The-Art Review Of Cloud Forensics, Sameera Almulla, Youssef Iraqi, Andrew Jones Jan 2014

Journal of Digital Forensics, Security and Law

Cloud computing and digital forensics are emerging fields of technology. Unlike traditional digital forensics where the target environment can be almost completely isolated, acquired and can be under the investigators control; in cloud environments, the distribution of computation and storage poses unique and complex challenges to the investigators. Recently, the term “cloud forensics” has an increasing presence in the field of digital forensics. In this state-of-the-art review, we included the most recent research efforts that used “cloud forensics” as a keyword and then classify the literature into three dimensions: (1) survey-based, (2) technology-based and (3) forensics-procedural-based. We discuss widely accepted …


A Study Of Forensic Imaging In The Absence Of Write-Blockers, Gary C. Kessler, Gregory H. Carlton Jan 2014

Security Studies & International Affairs - Daytona Beach

Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker are immediately suspect. This paper describes a research framework that compares forensic images acquired with and without utilizing write-blockers in order to understand the extent of the differences, if any, in the resultant forensic copies. We specifically address whether differences are superficial or evidentiary, and we discuss the impact of admitting evidence acquired without write blocking. …


Educating The Next Generation Of Cyberforensic Professionals, Mark Pollitt, Philip Craiger Dec 2013

J. Philip Craiger, Ph.D.

This paper provides a historical overview of the development of cyberforensics as a scientific discipline, along with a description of the current state of training, educational programs, certification and accreditation. The paper traces the origins of cyberforensics, the acceptance of cyberforensics as a forensic science and its recognition as a component of information security. It also discusses the development of professional certification and standardized bodies of knowledge that have had a substantial impact on the discipline. Finally, it discusses the accreditation of cyberforensic educational programs, its linkage with the bodies of knowledge and its effect on cyberforensic educational programs.


Information Security Challenge Of QR Codes, Nik Thompson, Kevin Lee Jan 2013

Journal of Digital Forensics, Security and Law

The discipline of information security must adapt to new technologies and methods of interaction with those technologies. New technologies present both challenges and opportunities for the security professional, especially for areas such as digital forensics. Challenges can be in the form of new devices such as smartphones or new methods of sharing information, such as social networks. One such rapidly emerging interaction technology is the use of Quick Response (QR) codes. These offer a physical mechanism for quick access to Web sites for advertising and social interaction. This paper argues that the common implementation of QR codes potentially presents security …


Analysis Of A Second Hand Google Mini Search Appliance, Stephen Larson Jan 2013

Journal of Digital Forensics, Security and Law

Information and the technological advancements for which mankind develops with regards to its storage has increased tremendously over the past few decades. As the total amount of data stored rapidly increases in conjunction with the amount of widely available computer-driven devices being used, solutions are being developed to better harness this data (LaTulippe, 2011). One of these solutions is commonly known as a search appliance. Search appliances have been used in e-discovery for several years. The Google Mini Search Appliance (Mini) has not only been used for e-discovery, but for indexing and searching internal documents. To accomplish these tasks, search …


The Advanced Data Acquisition Model (ADAM): A Process Model For Digital Forensic Practice, Richard Adams, Val Hobbs, Graham Mann Jan 2013

Journal of Digital Forensics, Security and Law

As with other types of evidence, the courts make no presumption that digital evidence is reliable without some evidence of empirical testing in relation to the theories and techniques associated with its production. The issue of reliability means that courts pay close attention to the manner in which electronic evidence has been obtained and in particular the process in which the data is captured and stored. Previous process models have tended to focus on one particular area of digital forensic practice, such as law enforcement, and have not incorporated a formal description. We contend that this approach has prevented the …


Identifying And Attributing Similar Traces With Greatest Common Factor Analysis, Fred Cohen Jun 2012

Journal of Digital Forensics, Security and Law

This paper presents an algorithm for comparing large numbers of traces to each other and identifying and presenting groups of traces with similar features. It is applied to forensic analysis in which groups of similar traces are automatically identified and presented so that attribution and other related claims may be asserted, and independently confirmed or refuted. The approach of this paper is to identify an approximate algorithm that will find a large subset of greatest common factor similar groups of arbitrary factors in far less time and space than an exact algorithm using examiner-provided selection criteria for factor definition.


Research Toward A Partially-Automated, And Crime Specific Digital Triage Process Model, Gary Cantrell, David Dampier, Yoginder S. Dandass, Nan Niu, Chris Bogen Mar 2012

Computer Sciences and Electrical Engineering Faculty Research

The digital forensic process as traditionally laid out begins with the collection, duplication, and authentication of every piece of digital media prior to examination. These first three phases of the digital forensic process are by far the most costly. However, complete forensic duplication is standard practice among digital forensic laboratories.

The time it takes to complete these stages is quickly becoming a serious problem. Digital forensic laboratories do not have the resources and time to keep up with the growing demand for digital forensic examinations with the current methodologies. One solution to this problem is the use of pre-examination techniques …